You should be able to echo out a phpinfo(); on a page in that directory to scope this directory out.

.htpasswd file

css-tricks:csmBH6tTLNZBE

That is what the contents of the .htpasswd file should look like. One username and password per line, separated by a colon. Notice the password is encrypted though. You will need to use a special tool to encrypt your password in this way (MD5). David Walsh has a tool just for this.

In fact, I obviously first learned this from David as pretty much this exact same tip is on his site. Still, I think it's worthy of re-posting because this is an extremely useful tool to have in your toolbox.

To Robert Augustin: MD5 is a one-way cryptographic hash function. Therefore it is impossible to decrypt a hashed password to get its original value. The way this authentication method works (I assume) is that the user enters a password, which is hashed and compared to the stored password hash for that username. If the two match, then authentication is successful. This negates the need for storing plain-text or decryptable passwords. MD5 does have its problems, however, and it is possible to find a text string which generates the same hash value as a stored password. To prevent this, a ‘salt’ value should be used when hashing.

Anton,
Thank you. If I understand correctly, that would call for a hash generator that adds salt values before encrypting the string. I don’t know if the above mentioned one (by David Walsh) does that – but I know how this works now :)

Newbie question: How do I save .htpasswd and .htaccess files? I am having trouble saving them from TextMate and when I rename them after I FTP them, they disappear. What am I doing wrong? Also, from 1 to 10, how safe is this? Could I protect real stuff behind this or is this more for beta websites and such?

MD5 hashes can be cracked with the use of rainbow tables.
Does the password generator with Apache generate salted hashes? I don’t think it does.

As someone else already commented, the password file really should be stored outside of the web accessible tree. And the .htaccess file should be configured (by default in recent Apache) to not be browsable.

Great tip, as usual! Congratulations for this website, my favourite at the moment! I’m not an expert at all, so regarding John's comment above, how can I store the file outside of the web accessible tree? And how can I configure .htaccess to not be browsable? Thank you in advance!

For anyone hosting on GoDaddy, the easiest way to do this is through your account manager. I tried doing it manually for quite a while after reading this tutorial, and I couldn’t get it to work properly. I finally found this article explaining another way to do it (and maybe the only way on GoDaddy) – http://help.godaddy.com/article/4057#protect

Have you ever seen where a browser will require the authentication multiple times before going through? I set up a password protected directory a while back through my host’s admin panel. I have access to the .htaccess file, but from what I can tell, not the .htpasswd. Everything in the .htaccess seems to be the same as you’ve outlined above, except the last line: it reads "require user myusernamehere" instead of: "require valid-user". I assume the encrypted password is the only thing in the .htpasswd file. In any case, do you think this could be a browser issue, or something in the way the host sets it up? I’ve tried to replicate the issue on other computers, but it never seems to be consistent. I suppose I could scrap the “admin panel way” and create my own files as this post suggests…. :)

The hash algorithm used in the example .htpasswd in the article doesn’t look like MD5 at all, looks more like crypt() which is the default (except in Windows).
MD5 is not encryption, it’s a one way hash/digest algorithm. Despite the name, crypt() is not an encryption either.
Putting .htpasswd in the same directory as .htaccess increases the chance of exposing the user and password hashes publicly. It’s probably wiser to put it outside of Apache’s DocumentRoot completely. Recent installations of Apache httpd probably have a rule that blocks direct access to .htaccess and .htpasswd files by default, but it’s not always the case.

Also, for those on Windows, Notepad will save it if you enclose the filename in quotes (“.htaccess”) and choose “All Files” instead of .txt files. I don’t know if ANSI or UTF-8 encoding makes a difference. I don’t use Notepad for .htaccess files anyhow.
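Added example (not part of the original article or its comments): the two concerns raised in the comments above, which hash scheme an .htpasswd entry actually uses and whether the file sits under the web-served tree, can be checked with a short Python audit. The function names and paths are hypothetical, and every sample entry except the article's own line is a constructed placeholder.

```python
import posixpath
import re

# (scheme, pattern, note) for hash formats found in Apache password files.
SCHEMES = [
    ("bcrypt", r"\$2[aby]\$\d\d\$[./A-Za-z0-9]{53}", "ok: salted, adjustable cost"),
    ("apr1-md5", r"\$apr1\$[./A-Za-z0-9]{1,8}\$[./A-Za-z0-9]{22}",
     "legacy: salted, iterated MD5; prefer bcrypt"),
    ("sha1", r"\{SHA\}[A-Za-z0-9+/]{27}=", "weak: unsalted SHA-1"),
    ("des-crypt", r"[./A-Za-z0-9]{13}",
     "weak: 2-char salt, only first 8 password chars used"),
]

def classify(stored):
    """Return (scheme, note) for the part after 'user:' in one entry."""
    for name, pattern, note in SCHEMES:
        if re.fullmatch(pattern, stored):
            return name, note
    return "unknown-or-plaintext", "weak: not a recognised hash format"

def audit(htpasswd_text):
    """Map each username to (scheme, note); skips blanks and comments."""
    report = {}
    for line in htpasswd_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or ":" not in line:
            continue
        user, stored = line.split(":", 1)
        report[user] = classify(stored)
    return report

def inside_docroot(auth_user_file, document_root):
    """True if the password file is under the web root (absolute paths assumed)."""
    path = posixpath.normpath(auth_user_file)
    root = posixpath.normpath(document_root)
    return posixpath.commonpath([path, root]) == root

# First entry is the line shown in the article; the rest are constructed
# placeholders with the right shape only (they are not real hashes).
SAMPLE = "\n".join([
    "css-tricks:csmBH6tTLNZBE",
    "alice:$2y$10$" + "A" * 53,
    "bob:{SHA}" + "A" * 27 + "=",
    "carol:hunter2",
])

if __name__ == "__main__":
    for user, (scheme, note) in audit(SAMPLE).items():
        print(f"{user:12} {scheme:22} {note}")
    # Hypothetical paths: the first is web-reachable, the second is not.
    print(inside_docroot("/var/www/html/admin/.htpasswd", "/var/www/html"))
    print(inside_docroot("/etc/apache2/.htpasswd", "/var/www/html"))
```

The article's own entry is 13 characters from the crypt alphabet, so it classifies as traditional crypt() rather than MD5.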

Before I ask my question, I’d just like to thank you for taking the time to make this website and offering your advice and expertise in the area of CSS. You have caused my knowledge in this area to grow “big time”.

Now…my question…is there a way to use CSS to make the htaccess/htpasswd look any way that I want to? Just like I would a regular html page?

Thank you for your response. I am looking for a way to produce a login page for a website that I am developing. I like the idea of the “ht” method…but I want to make sure that I can control the look and feel of the page.

It should also be mentioned that this is not the preferred method for securing directories in the case where you have access to Apache’s config (httpd.conf). You should configure directory security from there if you have access.

As mentioned this won’t work on anything but Apache. Also, it won’t work if the directory you’re attempting to implement it in has: AllowOverride none

How about a folder that you want to protect (not even read only to the public as it may have private code or passwords) but needs to be accessible by the webpages. For instance, a css subfolder, javascript subfolder, or a config subfolder with database username password, etc.

Any idea when I upload all the files, the directory asks for the username and password, it doesn’t accept the password? It just keeps popping the login screen back up again and again. I used htpasswd command in terminal (mac) to generate the passwords. Any ideas?

Thanks for this great tip. But is it possible that every time the user should provide username and password because on Chrome while entering once username and password it opens all other times without entering credentials. Please help me out if there is a way out.

I have the same problem Keshav Gyawali is having. I installed the files on my site, and went to my friend’s house to show him how to log in. He uses MS Internet Explorer (not Chrome, like K.G.) and, once we logged in the first time, just typing in the address took him back to the site, without the need to re-enter the password.